Beware financial malware that's trying to harvest usernames and passwords from a major newspaper's website.

That unusual warning comes by way of security firm ESET, which said it's observed financial malware known variously as Gataka and Tatanga being used in four recent attack campaigns. Targets include banks in Germany and the Netherlands, as well as an attack that's "trying to obtain accounts on a major U.S. newspaper's website by performing brute-force guesses of usernames and their passwords," said Jean-Ian Boutin, a malware researcher at ESET. "If this process is successful, the account information could possibly then be used to harvest private information or access paid content."

In all the campaigns, ESET observed the malware connecting with between three and ten different hacked Web pages, which served as proxies for the botnet's command-and-control (C&C) server. Boutin estimated that the underlying botnet contained "somewhere between 20,000 and 40,000 infected hosts," with the vast majority of compromised--or zombie--PCs located in Germany.
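The credential-guessing campaign described above is spread across a botnet of tens of thousands of hosts, so each source IP may fail only once and a per-IP lockout rule never fires. The following is an added detection example (not code from ESET, S21sec or the article) that runs over a constructed web-server access log and counts failures and distinct source IPs per account instead; the log format, `/login` path and thresholds are assumptions.

```python
from collections import defaultdict
# Constructed access-log sample (not from the article): one botnet host per guess.
SAMPLE_LOG = """\
203.0.113.10 POST /login 401 user=alice
203.0.113.11 POST /login 401 user=alice
203.0.113.12 POST /login 401 user=alice
203.0.113.13 POST /login 401 user=alice
203.0.113.14 POST /login 200 user=alice
198.51.100.7 POST /login 401 user=bob
198.51.100.7 POST /login 200 user=bob
"""

def parse_line(line):
    """Parse 'ip method path status user=<name>'; return None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ip, method, path, status, user = parts
    user = user[5:] if user.startswith("user=") else None
    return {"ip": ip, "method": method, "path": path, "status": int(status), "user": user}

def login_attempts(log_text, login_path):
    """Yield parsed POSTs to the login path that carry a username."""
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["method"] == "POST" and rec["path"] == login_path and rec["user"]:
            yield rec

def max_failures_per_ip(log_text, login_path="/login"):
    """Classic per-source-IP counter, for contrast: never exceeds 1 on the sample."""
    counts = defaultdict(int)
    for rec in login_attempts(log_text, login_path):
        if rec["status"] == 401:
            counts[rec["ip"]] += 1
    return max(counts.values(), default=0)

def find_guessed_accounts(log_text, login_path="/login", min_failures=3, min_ips=3):
    """Flag accounts with >= min_failures 401s from >= min_ips distinct IPs."""
    failing_ips = defaultdict(list)   # user -> IPs that failed against it
    succeeded_after = set()           # users whose failures were followed by a 200
    for rec in login_attempts(log_text, login_path):
        if rec["status"] == 401:
            failing_ips[rec["user"]].append(rec["ip"])
        elif rec["status"] == 200 and rec["user"] in failing_ips:
            succeeded_after.add(rec["user"])
    flagged = {}
    for user, ips in failing_ips.items():
        if len(ips) >= min_failures and len(set(ips)) >= min_ips:
            flagged[user] = {"failures": len(ips), "distinct_ips": len(set(ips)), "success_after": user in succeeded_after}
    return flagged
```

Accounts flagged with `success_after` set are the ones to treat as likely taken over and reset first; the per-IP counter is included only to show why it misses this pattern.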

The Gataka malware itself was first detailed by S21sec in February 2011. The security firm described the Trojan application, written in C++, as "rather sophisticated" given its ability to hide on infected systems. It does that in part by downloading encrypted modules--in the form of DLL files--after it infects a system. According to S21sec, these modules or plug-ins offer additional functionality and are decrypted in memory when injected into the browser or other processes, to avoid detection by antivirus software.

"In fact, when only the main component is present, there is not much functionality available to the bot-master," said ESET's Boutin. In addition, the malware in many cases also downloaded HTTP injection configuration, providing customized attack capabilities for targeted sites.

S21sec has likened the malware, aimed at banks in Germany, Portugal, Spain, and the United Kingdom, to SpyEye, noting that "it can perform automatic transactions, retrieving the mules [the latest details of legitimate bank accounts used by criminals and their money mules to launder stolen funds] from a server, and spoofing the real balance and banking operations of the users."

"Depending on the targeted bank, the Trojan can passively grab the credentials or ask for more in order to make the fraudulent transaction [succeed] in the user session," said S21sec. "In some cases the requested credentials include the [over the phone] mobile key," meaning the malware can run a social-engineering attack to trick users into sharing a one-time PIN sent by their bank, to be used to authorize a transaction initiated by the malware.

Once the malware infects a system, it can also grab email addresses, detect and delete other installed malware--including Zeus--encrypt its communications with C&C servers, and record all HTTP traffic. To do that, a malware module known as Interceptor creates a proxy server on the local machine so that all outbound and inbound network traffic can be examined, according to ESET. "In the case of HTTPS traffic, fake certificates--encrypted in the plug-in resources--are used between the client and the proxy server," ESET explained. "The browser certificate checking functions are also patched, in an attempt to hide from the user that fake certificates are used."

Whoever is behind the malware also offers frequent updating. "When communicating with the C&C, the client provides a list containing all its installed plug-ins and their versions," said Boutin. "The server can then send updated or new plug-ins to the Trojan. In one of [Gataka's] campaigns that we followed, we observed updates to the main component every two to three days, while the plug-ins did not evolve significantly. These updates seemed to be mostly for evading detection by anti-malware software."

The malicious code highlights that, when it comes to malware, would-be attackers have multiple options. "Gataka might not be as widely deployed by bot masters as SpyEye or Zeus, but it can achieve similar goals," said Boutin. "Will its modular and stable architecture attract more cyber thieves in the future? It would not be surprising, but only time will tell."
